×

Discussion Board

Results 1 to 8 of 8
  1. #1
    Registered User
    Join Date
    Jul 2003
    Posts
    37

    Which code signing service to use?

    Dear all,

    I am looking for advice on which company’s code signing service I should use to sign J2ME games:

    1. Baltimore
    2. Entrust.net
    3. GeoTrust
    4. GTE Cyber
    5. Nokia
    6. RSA
    7. Testing ACS
    8. Thawte
    9. (not VeriSign – see below)

    On the bases that:

    1. It covers widest range of most popular phones at present
    2. It works in a straight forward way
    3. It covers widest range of most popular phones into the future

    Any suggestion or experience sharing are most appreciated.

    qmei from London
    Last edited by qmei; 2006-08-18 at 07:19.

  2. #2
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105
    Have a search. You have only two choices: VeriSign, Thawte and Java Verified. You have to go for two out of the three and because Java Verified needs testing of your MIDlet for each series, I recommend this only when you really need it for your sales channel.

    I have not read the rest of your message. Please, have a search here, too. We have discussed and solved that VeriSign intermediate certificate issue so often…
    Last edited by traud; 2006-08-07 at 21:52.

  3. #3
    Registered User
    Join Date
    Jul 2003
    Posts
    37

    Re: Which code signing service to use? Plus bad experience with VeriSign

    Hi traud,

    Thanks again for contributing your idea. I can’t use VeriSign because they require one root certificate from the phone manufactured probably from end of 2005 and majority of our customers’ phones were manufactured before end of 2005.

    There are 8 other companies who provide root certificates for code signing. My question is which one is most appropriate or cost effective.

    Could you explain why you only mention Thawte? Don’t the rest do code signing for MIDlets?

    You’ve mentioned Java Verified. Sorry about my silliness but how does this work for code signing, and where is the root certificate for Java Verified?

    I don’t intend to look for ways to make VeriSign code signing work for my phones, since my interest is to sign MIDlets so that it works for any phones at our customer’s hand without them doing any extra work.

  4. #4
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105
    Please have a look at the provided link. It is you, making something wrong. Once you fixed your JAD, it will work for your customers out of the box.

    Additionally, buy a Thawte and use the same public key (no idea how that works) and you cover all Nokia and all Sony Ericsson devices which allow 3rd party developers and are not crippeled by the operators.

    Have a look at the permissions of the other root authorities, only VeriSign, Thawte, GeoTrust (Java Verfied) and Nokia are allowed for code-signing.

    Please have a look at that link and forget anything VeriSign told you.

  5. #5
    Registered User
    Join Date
    Jul 2003
    Posts
    37

    Re: Which code signing service to use? Plus bad experience with VeriSign

    Thanks a gain and I had a good look again at the thread you suggested. Seems to me either I am REALLY wrong which I still don’t know where, or I did not express myself clearly and you’ve mis-understood me.

    The current saturation is:

    1. On my testing cases, after using Carbide.j or WTK 2.5, the MIDlet-Certificate-1-2 is already in my jad files. The signed MIDlet works FINE with Nokia E61, manufactured in Q4 2005. But they failed to work with my other testing phones, all of them manufactured in 2004.
    2. On another Nokia registered user chgru’s testing cases, he/she managed to run the signed code on his testing phones, Nokia N70 and 6680, all manufactured in 2005, so long as the MIDlet-Certificate-1-2 is present in jad file. (the early failure is because the tool used only gets root certificate into the jad but not intermediate one)
    3. VeriSign’s code signing uses one class 3 CA root certificate which is visible/present from all testing phones I see. It also uses one intermediate certificate which is not visible from any of the testing phones whether it is actually present on the phone or not. For those phones the signing worked must have intermediate certificate present already.

    My conclusion is since the intermediate certificate is only valid from July 2004 from VeriSign’s point of view – a fact! The phone manufacturer might install this intermediate certificate implicitly in a much later stage, say after 6 months. This means no phones manufactured before early 2005 would be able to use VeriSign’s code signing service since the signed code will always end in failure at installation stage since no intermediate certificate is available from those phones.

    If this is the case for VeriSign, are there any other companies in a better situation, e.g. if they require an intermediate certificate, which is valid from an earlier date?
    Last edited by qmei; 2006-08-08 at 12:18.

  6. #6
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105
    Intermediates are your job to include in your JAD. It is just the root which matters.

    You have to check the path back to your root. Your root should be the VeriSign code-signing class 3 one which is valid from 1996 till 2028. Then your intermediate is validated against that one. So your code-signing certificate which is issued for 2006 should work on devices from 1996 and up.

    Nevertheless, it depends on your root path. Perhaps you got the wrong certificate. This beast costs 400 bucks and I do not know why you do not want to resolve this issue. Anyway, your only other option is Thawte and I recommend a pair of VeriSign/Thawte for best compatibility. Go for Java Verified only when forced to.

    As written in the other thread, take these JAD fields, paste them to a new text document and import this into a certificate repository like Firefox and test these JAD fields are correct.

    Signing is complicated. Once I had a missing carriage return at the end of my JAD. Cost me a day. Additionally, as far as I know the Nokia Series 60 3rd Edition has this intermediate cert on board. Actually a waste of space. Just a convient thing as far as I can tell.
    Last edited by traud; 2006-08-08 at 15:25.

  7. #7
    Registered User
    Join Date
    Jul 2003
    Posts
    37

    Re: Which code signing service to use? Plus bad experience with VeriSign

    Hi traud,

    I agree with you that the main CA certificate used to sign the MIDlet has to be on the phone by default.

    However there seem to be some difference between your other believes and mine:

    1. I believe if right tool is used, the intermediate certificate goes automatically into the jad file and no need to do any manual work – this is true for my case (I used Carbide.j and WTK2.5 – same effect), which worked out of box for my nokia E61. But same signed code failed on other phones manufactured in 2004.
    2. I believe for the code signing to work, the intermediate certificate has to be on the phone by default from an end-user's perspective.

    My point is: if the intermediate certificate is not on the phone, the code signing will not work, whether you use VeriSign or Thawte - both companies not just use main CA certificate, but also use an intermediate certificate.
    Last edited by qmei; 2006-08-09 at 08:17.

  8. #8
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105
    No, the intermediates are your (JAD) job. As the other thread shows even recent tools seem to have problems with these intermediates – no idea why. Do it by hand, debug it and forget that tools.

    I have no clue what is wrong in your case as you never ever posted any MIDlet-Certificate-x-y properties. Nevertheless, you should be able to debug it yourself and check if all intermediates – and the correct ones – are in your JAD and if these link up to the correct root. The intermediates are your job. Some (Nokia) devices have them on board, however, just out of convenience for developers. Never saw an intermediate on a Sony Ericsson …

Similar Threads

  1. Replies: 4
    Last Post: 2006-09-05, 15:15
  2. 6680 and bluetooth service profiles
    By ceruault in forum Mobile Java Networking & Messaging & Security
    Replies: 1
    Last Post: 2005-10-08, 22:24
  3. Service Registration question
    By asmatic in forum Mobile Java Networking & Messaging & Security
    Replies: 1
    Last Post: 2005-07-21, 10:04
  4. BTSPP service
    By rapajic in forum Bluetooth Technology
    Replies: 0
    Last Post: 2005-06-16, 13:02
  5. Service Discovery
    By jimdeal in forum Bluetooth Technology
    Replies: 1
    Last Post: 2003-09-25, 09:41

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
×